Critical WordPress Flaw Grants Admin Access to Any Registered Site User

November 19, 2018

The privilege-escalation vulnerability would allow an attacker to inject malware, place ads and load custom code on an impacted website.

Another day, another critical WordPress plugin vulnerability. The popular AMP for WP plugin, which helps WordPress sites load faster on mobile browsers, has a privilege-escalation flaw that allows WordPress site users of any level to make administrative changes to a website.

The plugin, which has over 100,000 active installs according to its webpage, adds support for Google’s mobile site acceleration tool, dubbed Google Accelerated Mobile Pages (AMP). Researchers at WebARX Security discovered that the plugin didn’t include a check to verify the account permissions of the currently logged-in user. That missing permission check opens up admin API access to anyone who holds a login for the site, whatever their role.
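The bug class described above, as an added illustration that is not the AMP for WP plugin’s code: a hypothetical WordPress admin-ajax handler that saves a setting with no permission check, beside a hardened version that verifies a nonce and the caller’s capability first. Function, option and nonce names are made up.

```php
<?php
// Hypothetical plugin code illustrating a missing capability check.
// Not the AMP for WP plugin's source; all names below are invented.

// VULNERABLE: wp_ajax_* handlers are reachable by ANY logged-in user via
// admin-ajax.php. With no capability check, a subscriber can change an
// admin-only setting that is later rendered on the site.
function example_save_setting_vulnerable() {
    $value = isset( $_POST['setting'] ) ? wp_unslash( $_POST['setting'] ) : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting_vulnerable', 'example_save_setting_vulnerable' );

// HARDENED: fail closed unless the request carries a valid nonce (CSRF
// protection) AND the current user holds the administrative capability.
function example_save_setting_hardened() {
    // Nonce created on the settings page with wp_create_nonce( 'example_setting_nonce' );
    // terminates the request with a 403 when missing or invalid.
    check_ajax_referer( 'example_setting_nonce', 'nonce' );

    // The check the vulnerable handler lacks: restrict to users who may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting_hardened', 'example_save_setting_hardened' );
```

When reviewing a plugin, every `wp_ajax_*` (and `wp_ajax_nopriv_*`) callback that writes options, posts or files should contain both of these checks; being logged in is not an authorization decision.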
